Delve – Fake Compliance as a Service

Allegations Against Delve

  • Commenters view the evidence as strong that Delve enabled or facilitated fake SOC 2 / ISO reports: pre-filled policies, controls, and even board minutes, with audit “conclusions” generated before data was provided.
  • Several people verified that their own or vendors’ SOC 2 reports matched the leaked templates, suggesting auditors didn’t truly validate controls.
  • The extremely low pricing and “SOC 2 in days” pitch are widely seen as red flags incompatible with legitimate, labor-intensive audits.

Auditors, SOC 2, and Compliance Industry

  • Many argue the core scandal is the auditor network: opaque or shell-like firms, uncertainty about who the actual CPA is, and extremely low-rigor reports.
  • Some note this exposes a larger problem: SOC 2 and similar frameworks are already heavily box-ticking and often meaningless in practice, making the system ripe for mills.
  • Others counter that, despite imperfections, SOC 2 is still useful as a minimal bar and blueprint, and deliberate fraud is qualitatively worse than “normal” compliance theater.

Due Diligence, VC, and YC Culture

  • People are astonished that large funds invested tens of millions with seemingly minimal diligence, despite obvious signals: very young founders, hype-heavy branding (dropout/30-under-30), and an implausible value proposition.
  • Several tie this to a perceived culture in parts of YC/VC where “being scrappy” shades into normalizing dishonesty and aggressive bluffing.

HN Moderation and “Suppression” Debate

  • Multiple users suspected the story was suppressed due to YC ties.
  • A moderator explained it was auto-downweighted by a voting-ring detector; once noticed, staff merged duplicates and manually restored it to the front page.
  • Some remain skeptical of the detector’s behavior; others appreciate the transparency.

Ethics, Shared Blame, and Author’s Role

  • Commenters note the whistleblower also admitted to using Delve to misrepresent their own security posture to close deals, only turning against Delve later.
  • This fuels a broader discussion about founders, customers, auditors, and regulators collectively enabling compliance-as-theater and blame-shifting.

Delve’s Public Response

  • Delve’s blog response is widely characterized as a “non-denial denial”: framing issues as misunderstandings, calling templates mere “starting points,” and casting the article as a competitive “attack.”
  • Many see it as evasive, lacking accountability for marketing claims and auditor selection, and implicitly confirming key practices while denying responsibility.

Practical Concerns

  • Readers ask what to do if they or their vendors used Delve: whether to reject such certifications and require re-audits.
  • Some recommend working directly with reputable auditors and using automation tools only as support, not as end-to-end “compliance in days.”